I have just installed the Security Onion distro, which is based on Ubuntu. This distro does a great job of combining multiple tools like Snort/Suricata, Sguil, Snorby, ELSA, Bro IDS, and Squert. In my Security Onion installation, the interface has been port mirrored. But all the alerts I have seen are from source IPs of our local network, both private and public. I can see outside IPs in ELSA or Squert PADS data, but not in the Snorby alerts. This seems a little strange to me, as there has been a known DoS attempt with an outside IP. My BPF is also not stopping any outside IP. I am wondering about possible reasons for such behaviour.